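/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 1988 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"
/*
 * Audit trail structures;
 *
 * NOTE(review): no #include appears in this header, yet it uses time_t,
 * uid_t, gid_t, caddr_t, u_int and blabel_t.  The includer has to bring
 * those declarations into scope first.
 */

#ifndef _sys_audit_h
#define	_sys_audit_h

/*
 * Maximum size for audit data passed from the audit system call
 * This value is arbitrary, so offers of better numbers are invited.
 *
 * MAXAUDITDATA works out to 0x7fff.  The record and parameter lengths
 * below are kept in shorts (described as 16 bit further down), so a
 * larger limit would presumably not fit in those fields -- confirm
 * before raising it.
 */

#define	AUP_USER	(0x8000)
#define	MAXAUDITDATA	(AUP_USER - 1)
#define	AUDITMAGIC	0x00070009	/* expected value of ah_magic */

/*
 * Audit conditions, statements regarding what's to be done with
 * audit records.
 */
#define	AUC_UNSET	0	/* on/off hasn't been decided */
#define	AUC_AUDITING	1	/* auditing is being done */
#define	AUC_NOAUDIT	2	/* auditing is not being done */
#define	AUC_FCHDONE	3	/* no auditing, and you never can */

/*
 * Minimum and maximum record type values. Change AUR_MAXRECTYPE when
 * adding new record types.
 *
 * AUR_TRAILER (1000) lies outside this range, so a range check against
 * AUR_MINRECTYPE..AUR_MAXRECTYPE has to treat the trailer separately.
 */
#define	AUR_MINRECTYPE	1
#define	AUR_MAXRECTYPE	63

/*
 * Audit record type codes
 */
#define	AUR_ACCESS		1
#define	AUR_CHMOD		2
#define	AUR_CHOWN		3
#define	AUR_CREAT		4
#define	AUR_FCHMOD		5
#define	AUR_FCHOWN		6
#define	AUR_FTRUNCATE		7
#define	AUR_LINK		8
#define	AUR_MKDIR		9
#define	AUR_MKNOD		10
#define	AUR_OPEN		11
#define	AUR_RMDIR		12
#define	AUR_RENAME		13
#define	AUR_STAT		14
#define	AUR_SYMLINK		15
#define	AUR_TRUNCATE		16
#define	AUR_UNLINK		17
#define	AUR_UTIMES		18
#define	AUR_EXECV		19
#define	AUR_MSGCONV		20
#define	AUR_MSGCTL		21
#define	AUR_MSGGET		22
#define	AUR_MSGRCV		23
#define	AUR_MSGSND		24
#define	AUR_SEMCTL		25
#define	AUR_SEMGET		26
#define	AUR_SEMOP		27
#define	AUR_SHMAT		28
#define	AUR_SHMCTL		29
#define	AUR_SHMDT		30
#define	AUR_SHMGET		31
#define	AUR_SOCKET		32
#define	AUR_PTRACE		33
#define	AUR_KILL		34
#define	AUR_KILLPG		35
#define	AUR_EXECVE		36
#define	AUR_CORE		37
#define	AUR_ADJTIME		38
#define	AUR_SETTIMEOFDAY	39
#define	AUR_SETHOSTNAME		40
#define	AUR_SETDOMAINNAME	41
#define	AUR_REBOOT		42
#define	AUR_REBOOTFAIL		43
#define	AUR_SYSACCT		44
#define	AUR_MOUNT_UFS		45
#define	AUR_MOUNT_NFS		46
#define	AUR_MOUNT		47
#define	AUR_UNMOUNT		48
#define	AUR_READLINK		49
#define	AUR_QUOTA_ON		50
#define	AUR_QUOTA_OFF		51
#define	AUR_QUOTA_SET		52
#define	AUR_QUOTA_LIM		53
#define	AUR_QUOTA_SYNC		54
#define	AUR_QUOTA		55
#define	AUR_STATFS		56
#define	AUR_CHROOT		57
#define	AUR_TEXT		58
#define	AUR_CHDIR		59
#define	AUR_MSGCTLRMID		60
#define	AUR_SEMCTL3		61
#define	AUR_SEMCTLALL		62
#define	AUR_SHMCTLRMID		63

#define	AUR_TRAILER		1000

/*
 * The classes of audit events
 *
 * Each class is a distinct single bit, so classes can be OR-ed into a
 * mask.  Presumably these are the bits held in as_success/as_failure
 * and au_event -- confirm against the code that sets them.
 */
#define	AU_DREAD	0x00000001
#define	AU_DWRITE	0x00000002
#define	AU_DACCESS	0x00000004
#define	AU_DCREATE	0x00000008
#define	AU_LOGIN	0x00000010
#define	AU_SREAD	0x00000020
#define	AU_SCTL		0x00000040
#define	AU_MINPRIV	0x00000080
#define	AU_MAJPRIV	0x00000100
#define	AU_ADMIN	0x00000200
#define	AU_ASSIGN	0x00000400

/*
 * Success and failure are defined here because not everyone agrees on
 * which values rate success and which failure.
 *
 * AU_EITHER is parenthesized, like AUP_USER above, so the negative
 * constant stays a single operand wherever the macro is expanded.
 */
#define	AU_EITHER	(-1)
#define	AU_SUCCESS	0
#define	AU_FAILURE	1

/*
 * The user id -2(0xfffe) is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 *
 * 0xfffe is -2 only in 16 bits; where uid_t is wider, compare against
 * AU_NOAUDITID converted to uid_t rather than against the literal.
 * Since this id switches auditing off, any path that can set the audit
 * uid is security-sensitive; the check guarding it is not in this header.
 */
#define	AU_NOAUDITID	(-2)

/*
 * The structure of the audit state
 */
struct audit_state {
	unsigned int	as_success;	/* success bits */
	unsigned int	as_failure;	/* failure bits */
};
typedef struct audit_state audit_state_t;

/*
 * The audit file header structure.
 * In the file it will be followed by a path name, the length of which is
 * kept in the ah_namelen field.
 *
 * ah_namelen is a signed short read back from a file: a reader should
 * reject a negative value, or one larger than the data that remains,
 * before using it as a length.  ah_magic is presumably compared with
 * AUDITMAGIC -- confirm in the reader.
 */
struct audit_header {
	int	ah_magic;	/* magic number */
	time_t	ah_time;	/* the time */
	short	ah_namelen;	/* length of file name */
};
typedef struct audit_header audit_header_t;

/*
 * The audit file trailer record structure.
 * In the file it will be followed by a path name, the length of which is
 * kept in the at_namelen field.
 *
 * As with the header, at_record_size and at_namelen are signed shorts
 * taken from the file and need a sign and bounds check before use.
 */
struct audit_trailer {
	short	at_record_size;	/* size of this */
	short	at_record_type;	/* its type, a trailer */
	time_t	at_time;	/* the time */
	short	at_namelen;	/* length of file name */
};
typedef struct audit_trailer audit_trailer_t;

/*
 * The audit file record structure.
 * au_record_size is the size of the entire record.
 * au_param_count is the number of data items which follow the record.
 * There is a short ( 16 bit ) length for each of the following
 * parameters, then the parameters themselves. There is no way to know
 * what the parameters are from the data, unless the au_record_type
 * is understood.
 * The first parameter is the group list, hence au_param_count will
 * always be at least one.
 *
 * When parsing a stored record, au_record_size, au_param_count and each
 * per-parameter length are signed 16-bit values from the file: check
 * that they are non-negative, that au_param_count is at least one, and
 * that the lengths add up to no more than au_record_size before walking
 * the parameters.
 */
struct audit_record {
	short		au_record_size;	/* size of this */
	short		au_record_type;	/* its type */
	unsigned int	au_event;	/* the event */
	time_t		au_time;	/* the time */
	uid_t		au_uid;		/* real uid */
	uid_t		au_auid;	/* audit uid */
	uid_t		au_euid;	/* effective */
	gid_t		au_gid;		/* real group */
	short		au_pid;		/* process id; a pid beyond the range of short does not fit */
	int		au_errno;	/* error code */
	int		au_return;	/* a return value */
	blabel_t	au_label;	/* also ... */
	short		au_param_count;	/* # of parameters */
};
typedef struct audit_record audit_record_t;

/*
 * This structure controls a buffer for generating full pathnames
 * for filenames.
 *
 * Nothing in this header ties ap_ptr to the buffer: code advancing
 * ap_ptr has to keep it within ap_buf .. ap_buf + ap_size itself.
 */
struct au_path_s {
	u_int	ap_size;	/* Size of buffer */
	caddr_t	ap_buf;		/* Address of buffer */
	caddr_t	ap_ptr;		/* Current position */
};
typedef struct au_path_s au_path_t;

/*
 * Round x up to the next even value.  x is evaluated once; adding 1 to
 * the largest value of a signed type overflows, so bound x first.
 */
#define	AU_ALIGN(x)	(((x) + 1) & ~1)

#endif /*!_sys_audit_h*/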